Bug 2447090 (CVE-2026-32236) - CVE-2026-32236 @backstage/plugin-auth-backend: @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Summary: CVE-2026-32236 @backstage/plugin-auth-backend: @backstage/plugin-auth-backend...
Keywords:
Status: NEW
Alias: CVE-2026-32236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-03-12 19:02 UTC by OSIDB Bzimport
Modified: 2026-03-12 23:15 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-12 19:02:16 UTC
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited: the attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.
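The redirect gap described above, as an added example in TypeScript (not Backstage's code; all names such as fetchMetadata, isPrivateHost and fakeFetch are hypothetical). The same fetch loop runs in two modes: validate-once, which checks only the initial client_id host and then follows Location headers blindly, and check-every-hop, which parses and re-checks each redirect target before the next request is issued. The in-memory fakeFetch stands in for the network: one constructed "client" document redirects into the cloud metadata address 169.254.169.254, the other does a benign same-host redirect. Blocking non-https hops is an extra hardening assumption of this example, not something the advisory states the fix does.

```typescript
// Added example, not from @backstage/plugin-auth-backend. Hypothetical names.
type FakeResponse = { status: number; headers: Record<string, string>; body: string };
type Fetcher = (url: string) => Promise<FakeResponse>;

// Constructed blocklist: "this network", RFC 1918, CGNAT, loopback, link-local.
// Only IP literals and localhost are handled; a real check must also resolve
// DNS names and test every returned address (and watch for rebinding).
const PRIVATE_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Expects the hostname as produced by the WHATWG URL parser, which already
// normalises hex/octal/decimal IPv4 forms to dotted decimal.
export function isPrivateHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h === "::1" || h === "::") return true;
  const mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
  const v4 = ipv4ToInt(mapped ? mapped[1] : h);
  if (v4 === null) return false; // DNS name: resolve and re-check in real code
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((v4 & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
  });
}

const REDIRECT_STATUS = new Set([301, 302, 303, 307, 308]);

function assertAllowedTarget(url: string, hop: number): void {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`blocked: ${u.protocol} at hop ${hop}`);
  if (isPrivateHost(u.hostname)) throw new Error(`blocked: private host ${u.hostname} at hop ${hop}`);
}

// recheckRedirects=false reproduces the validate-once pattern: only hop 0 is
// checked. recheckRedirects=true checks every hop before it is requested.
export async function fetchMetadata(
  clientId: string,
  fetcher: Fetcher,
  opts: { recheckRedirects: boolean; maxRedirects?: number },
): Promise<FakeResponse> {
  const maxRedirects = opts.maxRedirects ?? 5;
  let current = new URL(clientId).toString();
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (hop === 0 || opts.recheckRedirects) assertAllowedTarget(current, hop);
    const res = await fetcher(current);
    const location = res.headers.location;
    if (!REDIRECT_STATUS.has(res.status) || !location) return res;
    current = new URL(location, current).toString(); // resolves relative Location
  }
  throw new Error("too many redirects");
}

// Constructed in-memory "network": a hostile CIMD document that bounces into
// the cloud metadata service, and a benign document with a same-host redirect.
export const fakeFetch: Fetcher = async (url: string) => {
  const routes: Record<string, FakeResponse> = {
    "https://attacker.example/cimd.json":
      { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" },
    "http://169.254.169.254/latest/meta-data/":
      { status: 200, headers: {}, body: "ami-id\ninstance-id\n" },
    "https://client.example/cimd.json":
      { status: 301, headers: { location: "/v2/cimd.json" }, body: "" },
    "https://client.example/v2/cimd.json":
      { status: 200, headers: {}, body: '{"client_id":"https://client.example/cimd.json"}' },
  };
  return routes[url] ?? { status: 404, headers: {}, body: "" };
};
```

With recheckRedirects set to false the hostile client_id passes the initial check and the loop ends up requesting the metadata address, which is the request the advisory describes; the caller never sees the body in Backstage's case, but the request is still made from the server's network position. With it set to true the same input is rejected at hop 1, while the benign redirect still resolves. The DNS caveat in the comment matters in practice: a name that resolves to a private address bypasses a literal-only check, so production code must validate the resolved addresses, not just the hostname string.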

